DETAILED ACTION

1. This action is responding to application remarks filed 12-3-2008.

2. Claims 1 - 4, 6 - 16, 18 - 26, 28 - 34 are pending. Claims 5, 17, 27 have been 
cancelled. Claims 1, 13, 23 are independent. This application was filed 12-23-2003. 

Response to Arguments 

3. Applicant's arguments filed 12-3-2008 have been fully considered but were not
persuasive.

3.1 Applicant argues that the referenced prior art does not disclose, transmitting a 
session ID and a timestamp, (see Remarks Pages 12-16) 

The Williams prior art discloses the transfer of a timestamp parameter (within the 
token data structure) between two network-connected systems, (see Williams 
paragraph [0050], lines 1-5: token may include an optional timestamp) 

And, the Woods prior art discloses the direct transfer of session state parameters 
such as a session ID parameter and a time/date parameter between network-connected 
entities, (see Wood paragraph [0050], lines 15-17: some parameters can be passed 
directly between systems) 

The Lennon prior art discloses the transfer of session state including session state
information between two network-connected systems. The Lennon prior art clearly
discloses the transfer of a session identifier indicating a particular session between the
two network-connected systems, (see Lennon col. 54, lines 37-40: transmit a session
identifier (directly) from a first device to a second device; col. 54, lines 45-50; col. 56,
lines 1-6: redirecting session output from first device to second device; transfer session
information (session ID and additional session state information) between two servers)

All references (Williams, Wood, Lennon) disclose the transfer of session
information such as identifiers, time/date information such as timestamps, and session
state information between network-connected systems (servers, clients). Clearly, a
timestamp is a parameter available for transfer between systems in the management of
session information.

3.2 Applicant argues that the referenced prior art does not disclose, dependent
claims, (see Remarks Page 13)

The successful responses to arguments for independent claims, also successfully
respond to the current arguments against the dependent claims.

3.3 The Wood prior art discloses redirection methods for the transmission of a 
designated session token between servers without storage of the session token at the 
browser, (see Woods paragraph [0050], lines 12-17; paragraph [0051], lines 13-16) 

Each obviousness combination indicates the claim limitation(s) the combined prior 
art references teach. In addition, a cited passage from the referenced prior art indicates 
the motivation for the obviousness combination. Each obviousness combination's 
disclosure is equivalent to the Applicant's claimed limitation(s) for the claimed invention. 

It is not a requirement that the referenced prior art solve the same problem as
the claimed invention in order to be combinable. There are three criteria for combination:
(1) same field of endeavor (which is session management); (2) motivation for the
combination (stated in Office Action); and (3) successful disclosure of claim limitation 
due to prior art combination. All three criteria are satisfied by the Office Action, (see 
Williams paragraph [0016], lines 1-4; paragraph [0036], lines 1-2; see Woods paragraph 
[0047], lines 6-14; paragraph [0057], lines 21-24; see Bachman col. 1, lines 65-67: 
same field of endeavor: session management) 

3.3 The Williams prior art invention discloses a database for the storage of session 
management information, (see Williams paragraph [0037], lines 10-12; paragraph 
[0075], lines 12-16: database, storage). In addition, the Williams prior art discloses the 
capability to redirect service requests from one server to another server for service 
completion, (see Williams paragraph [0067], lines 12-18: redirection of session token 
and session information, redirection request for resources) 

The Williams prior art discloses a system for secure session management within a 
collection of web server systems (web farm) using a session token. The claim 
limitations disclose that the token is renewed after each use. (see Specification Page 2,
Paragraph [0006], lines 7-9) In the Williams prior art a session management web
service updates the session token with each received request, (see Williams 
paragraph [0016], lines 7-13; paragraph [0016], lines 4-7: generate new encrypted 
session token and transfer) In addition, the Williams prior art discloses the capability to 
encrypt and decrypt the designated session token.

The Williams and Woods prior art combination discloses that if the request must be
redirected to a different server where the requested resource is located (see Williams
paragraph [0067], lines 12-18: redirection of session token and session information, 
redirection request for resources) then the decrypted session token is transmitted to the 
new server (see Wood paragraph [0044], lines 8-14; paragraph [0051], lines 1-3: 
session token with redirection request) and the session management web service 
generates a new session token to be used in place of the previous session token. The 
new session token is transmitted with the requested web resource. 

The Williams prior art discloses that the server is utilized for authentication and 
session token(s) generation. Also, the Williams prior art discloses the capability for 
session tokens to be encrypted and decrypted during session token processing, (see 
Williams paragraph [0051], lines 14-16: encryption/decryption utilized for security) 
Once client access procedures are completed, the Williams prior art processes service 
requests to access a required resource. 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art
are such that the subject matter as a whole would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made.

5. Claims 1 - 6, 9 - 18, 21 - 28, 31 - 34 are rejected under 35 U.S.C. 103(a) as
being unpatentable over Williams et al. (US PGPUB No. 20030005118) in view of 
Wood et al. (US PGPUB No. 20040210771) and further in view of Lennon et al. (US 
Patent No. 7,099,946). 

With Regards to Claims 1, 23, Williams discloses a method, computer program 
product of secure session management for a web farm, the web farm including a first 
server and a second server, the second server having a requested web page, the 
method comprising: 

a) receiving, at the first server, a request for the requested web page from a 
browser, said request including an encrypted session token associated with a 
session; (see Williams paragraph [0016], lines 1-4: session management 
(associated with a session); paragraph [0019], lines 1-5: request processing; 
paragraph [0016], lines 1-4: session token; paragraph [0050], lines 10-16; 
paragraph [0051], lines 14-16: encryption utilized for security; paragraph [0016], 
lines 1-4: program product) 

b) decrypting said encrypted session token at the first server to obtain a session 
information; (see Williams paragraph [0020], lines 8-11: validate (must decryption
required to process encrypted information) session information, process 
encrypted session information; paragraph [0016], lines 1-4: program product) 

d) verifying said session, (see Williams paragraph [0020], lines 8-11; paragraph
[0074], lines 7-11: validate session token information, client and session
identification information; paragraph [0016], lines 1-4: program product)

Williams discloses wherein redirecting said request to the second server, (see 
Williams paragraph [0067], lines 12-18: redirection of session information) Williams 
does not specifically disclose including the transmission of said session token to the 
second server in a redirect request. 

However, Wood discloses: 

c) including transmitting said session token to the second server; (see Wood 
paragraph [0044], lines 8-14; paragraph [0051], lines 1-3: session token with 
redirection request) 

It would have been obvious to one of ordinary skill in the art to modify Williams 
for transmitting a session token and session state information to a second server as 
taught by Wood. One of ordinary skill in the art would have been motivated to 
employ the teachings of Wood in order to enable the capability to upgrade session 
credentials and maintain session continuity, (see Wood paragraph [0016], lines 11-16:
" ... The session upgrading means upgrading the session by obtaining and
authenticating a second credential to allow access to the target information resource 
if the first authenticated credential is inconsistent with the trust level requirement. 
The session upgrade means maintains session continuity across credential 
upgrades. ...") 

Application/Control Number: 10/733,326
Art Unit: 2436

Williams-Woods does not specifically disclose direct transmission of a session ID
and additional session state information such as a time/date parameter between two
systems. However, Lennon discloses for a); b): wherein including transmitting said
session ID and timestamp directly to the second server, (see Lennon col. 54, lines 
37-40: transmit a session identifier (directly) from a first device to a second device; 
col. 54, lines 45-50; col. 56, lines 1-6: redirecting session output from first device to 
second device; transfer session information (session ID and additional session state 
information) between two servers) 

It would have been obvious to one of ordinary skill in the art to modify Williams-Woods
to directly transmit a session ID and timestamp (session state information) to
a second server as taught by Lennon. One of ordinary skill in the art would have
been motivated to employ the teachings of Lennon in order to save time and greatly
reduce aggregation due to customer not having to use a different search engine
interface for searching each content provider, (see Lennon col. 1, line 67 - col. 2,
line 7: "... If the potential customer wanted to perform a search across several 
different content providers/distributors, the potential customer would have to visit the 
Web site and use the search engine of each of the different content 
providers/distributors. Such actions are often time consuming and annoying 
because the potential customer must use a different search engine interface each 
time. ...") 

With Regards to Claims 2, 24, Williams discloses the method, computer program 
product claimed in claims 1, 23, further including creating a new session token, 
encrypting said new session token at the second server to produce a new encrypted
session token, and transmitting a response to said browser from the second server,
wherein said response includes said new encrypted session token, (see Williams 
paragraph [0016], lines 7-13; paragraph [0016], lines 4-7: generate new encrypted 
session token and transfer; paragraph [0016], lines 1-4: software implementation, 
program product) 

With Regards to Claims 3, 5, 15, 17, 25, 27, Williams discloses the method, system, 
computer program product claimed in claims 2, 13, 14, 23, 24, wherein said creating a 
new session token includes generating a new session ID and updating said timestamp. 
(see Williams paragraph [0062], lines 9-16; paragraph [0050], lines 1-5: session token, 
session ID and timestamp; paragraph [0016], lines 1-4: software implementation, 
program product) 

With Regards to Claims 4, 16, 26, Williams discloses the method, system, computer 
program product claimed in claims 2, 14, 24, further including a step of updating a 
common session database by replacing said session information with said new session 
token in said common session database, (see Williams paragraph [0069], lines 9-15: 
database for session token information storage paragraph [0016], lines 1-4: software 
implementation, program product) 

And, Lennon discloses wherein including transmitting said session ID and timestamp 
directly to the second server, (see Lennon col. 54, lines 37-40: transmit a session 
identifier from a first device to a second device; col. 54, lines 45-50; col. 56, lines 1-6:
redirecting session output from first device to second device; transfer session
information (session ID and additional session information) between two servers) 

It would have been obvious to one of ordinary skill in the art to modify Williams to 
transmit said session ID and timestamp (session state information) directly to the 
second system as taught by Lennon. One of ordinary skill in the art would have been 
motivated to employ the teachings of Lennon in order to save time and greatly reduce 
aggregation due to customer not having to use a different search engine interface for 
searching each content provider, (see Lennon col. 1, line 67 - col. 2, line 7) 

With Regards to Claims 6, 18, 28, Williams discloses the method, system, computer 
program product claimed in claims 1, 17, 23, wherein a common session database
contains a stored session ID and a stored timestamp, and wherein said verifying
includes comparing said session ID and said timestamp with said stored session ID and
said stored timestamp. (see Williams paragraph [0069], lines 9-15: database for session
token information storage; paragraph [0062], lines 9-16; paragraph [0050], lines 1-5:
session token, session ID and timestamp; paragraph [0020], lines 8-11: verification
session information paragraph [0016], lines 1-4: software implementation, program 
product) 

With Regards to Claims 9, 21, 31, Williams discloses the method, system, computer 
program product claimed in claims 1, 13, 23, wherein said step of transmitting includes
incorporating said session information into a URL. (see Williams paragraph [0044], lines
8-12: URL processing techniques utilized paragraph [0016], lines 1-4: software
implementation, program product) 

And, Lennon discloses wherein includes incorporating said session ID and timestamp 
into a URL. (see Lennon col. 54, lines 37-40: transmit a session identifier from a first 
device to a second device; col. 54, lines 45-50; col. 56, lines 1-6: redirecting session 
output from first device to second device; transfer session information (session ID and 
additional session information) between two servers) 

It would have been obvious to one of ordinary skill in the art to modify Williams to 
transmit said session ID and timestamp (session state information) directly to the 
second server as taught by Lennon. One of ordinary skill in the art would have been 
motivated to employ the teachings of Lennon in order to save time and greatly reduce 
aggregation due to customer not having to use a different search engine interface for 
searching each content provider, (see Lennon col. 1, line 67 - col. 2, line 7)

With Regards to Claims 10, 32, Williams discloses the method, computer program 
product claimed in claims 1, 23, wherein a session management web service performs 
said step of verifying, said session management web service being accessible to said 
first server and said second server, and wherein said verifying includes comparing said 
session information with stored session data, (see Williams paragraph [0020], lines 8-11:
session information verification paragraph [0016], lines 1-4: software
implementation, program product)

And, Lennon discloses wherein includes transferring said session ID and timestamp
between systems for comparison, (see Lennon col. 54, lines 37-40: transmit a session 
identifier from a first device to a second device; col. 54, lines 45-50; col. 56, lines 1-6: 
redirecting session output from first device to second device; transfer session 
information (session ID and additional session information) between two servers) 

It would have been obvious to one of ordinary skill in the art to modify Williams to 
transmit said session ID and timestamp (session state information) directly to the 
second server as taught by Lennon. One of ordinary skill in the art would have been 
motivated to employ the teachings of Lennon in order to save time and greatly reduce 
aggregation due to customer not having to use a different search engine interface for
searching each content provider, (see Lennon col. 1, line 67 - col. 2, line 7)

With Regards to Claims 11, 33, Williams discloses the method, computer program 
product claimed in claims 10, 32, wherein the web farm further includes a common 
session database containing said stored session data, (see Williams paragraph [0013], 
lines 5-9; paragraph [0036], lines 3-4: web farms, set of interconnected web servers 
paragraph [0016], lines 1-4: software implementation, program product) 

With Regards to Claims 12, 22, 34, Williams discloses the method, system, computer 
program product claimed in claims 1, 13, 23, wherein said requested web page includes
a web resource selected from the group including an applet, an HTML page, a Java
server page, and an Active server page, (see Williams paragraph [0044], lines 3-8;
paragraph [0042], lines 8-15: protected resource, a HTML web page paragraph [0016],
lines 1-4: software implementation, program product) 

With Regards to Claim 13, Williams discloses a system for secure session
management, the system being coupled to a network and receiving a request for a
requested web page from a browser via the network, the request including an encrypted 
session token, the system comprising: 

b) a second server including the requested web page; (see Williams paragraph 
[0013], lines 5-9: multiple servers; paragraph [0044], lines 3-8; paragraph [0042], 
lines 8-15: resource requested, a HTML web page) 

c) a common session database including stored session data; (see Williams 
paragraph [0069], lines 9-15: database for session token information storage) 

Also, Williams discloses: 

a) a first server including a first request handler for receiving the request and 
decrypting the encrypted session token to produce a session information, (see 
Williams paragraph [0013], lines 5-9; paragraph [0050], lines 10-16: multiple 
servers, encrypted; paragraph [0020], lines 8-11: validate (i.e. must decrypt in
order to process) session information) 

d) a session management web service, accessible to said first server and said 
second server and including a validation component for comparing said session 
token with said stored session data; (see Williams paragraph [0020], lines 8-11:
session verification information)

Williams discloses wherein said first request handler adapted to redirect the request
to said second server, (see Williams paragraph [0067], lines 12-18: redirection 
capabilities) Williams does not specifically disclose the transfer of session state 
information between two servers. 
However, Wood discloses: 

e) transmit the session information to said second server, (see Wood paragraph 
[0044], lines 8-14; paragraph [0051], lines 1-3: session token with redirection 
request; paragraph [0050], lines 15-17: direct transfer of parameters between two 
systems) 

It would have been obvious to one of ordinary skill in the art to modify Williams 
to enable including transmitting said session token to the second server as taught by 
Wood. One of ordinary skill in the art would have been motivated to employ the 
teachings of Wood in order to enable the capability to upgrade session credentials 
and maintain session continuity, (see Wood paragraph [0016], lines 11-16) 

And, Lennon discloses wherein includes transmitting said session ID and timestamp 
between systems, (see Lennon col. 54, lines 37-40: transmit a session identifier from 
a first device to a second device; col. 54, lines 45-50; col. 56, lines 1-6: redirecting 
session output from first device to second device; transfer session information 
(session ID and additional session information) between two servers) 

It would have been obvious to one of ordinary skill in the art to modify Williams 
to transmit said session ID and timestamp directly to the second server as taught by
Lennon. One of ordinary skill in the art would have been motivated to employ the
teachings of Lennon in order to save time and greatly reduce aggregation due to
customer not having to use a different search engine interface for searching each
content provider, (see Lennon col. 1, line 67 - col. 2, line 7)

With Regards to Claim 14, Williams discloses the system claimed in claim 13, wherein 
said session management web service includes a token generator for creating a new 
session token for said second server, and wherein said second server includes a 
second request handler, said second request handler encrypting said new session 
token to produce a new encrypted session token and transmitting a response to said 
browser, wherein said response includes said new encrypted session token, (see 
Williams paragraph [0016], lines 7-10; paragraph [0016], lines 4-7: new session token 
generated and transferred; paragraph [0050], lines 10-16; paragraph [0051], lines 14-16:
encrypted session token information)

6. Claims 7, 8, 10, 20, 29, 30 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Williams-Wood-Lennon and further in view of Bachman et al. (US 
Patent No. 5,907,621). 

With Regards to Claims 7, 19, 29, Williams discloses the method, system, computer 
program product claimed in claims 1, 14, 23. (see Williams paragraph [0050], lines 1-5:
time parameter usage and processing; paragraph [0016], lines 1-4: software
implementation, program product) Williams does not specifically disclose a time out
processing capability. However, Bachman discloses wherein including determining 
whether a session has timed out, said step of determining including determining an 
elapsed time between said timestamp and a current server time, and comparing said 
elapsed time with a predetermined maximum time to determine whether said session 
has timed out. (see Bachman col. 1, lines 65-67: session management; col. 4, lines 11-17;
col. 6, lines 10-19: process time out condition)

It would have been obvious to one of ordinary skill in the art to modify Williams to 
process a time out condition as taught by Bachman. One of ordinary skill in the art 
would have been motivated to employ the teachings of Bachman in order to enable the 
capability to create a secure communications session between server and client 
systems and avoid distracting the client with the placement of token information within 
the page, (see Bachman col. 1, lines 65-67: " ... An advantage of the present invention
is that a secure user session can be established between an internet server and a
browser at an unsecured client. ... "; col. 2, lines 15-17; "... To avoid distracting the
user, the token is carried in a field of the page that is normally not displayed in the
presentation space. ...") 

With Regards to Claims 8, 20, 30, Williams discloses the method, system, computer 
program product claimed in claims 7, 19, 29. (see Williams paragraph [0050], lines 1-5: 
time parameter usage and processing; paragraph [0016], lines 1-4: software 
implementation, program product) Williams does not specifically disclose a time out
processing capability. However Bachman discloses wherein includes closing said
session if said session has timed out. (see Bachman col. 1, lines 65-67: session 
management; col. 4, lines 11-17; col. 6, lines 10-19: process time out condition, session 
erased, closed) 

It would have been obvious to one of ordinary skill in the art to modify Williams to 
process a time out condition as taught by Bachman. One of ordinary skill in the art 
would have been motivated to employ the teachings of Bachman in order to enable the 
capability to create a secure communications session between server and client 
systems and avoid distracting the client with the placement of token information within 
the page, (see Bachman col. 1, lines 65-67; col. 2, lines 15-17) 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Carlton V. Johnson whose telephone number is
571-270-1032. The examiner can normally be reached on Monday thru Friday, 8:00 -
5:00PM EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami can be reached on 571-272-4195. The fax phone 
number for the organization where this application or proceeding is assigned is
571-273-8300.

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Nasser G Moazzami/ Carlton V. Johnson 

Supervisory Patent Examiner, Art Unit 2436 Examiner 

Art Unit 2436 



CVJ 

March 2, 2009